ISO-31000-CLA Sample Questions Answers

According to 1, page 15-16, external risks are “those arising from events outside the organization” and marketplace risks are “those arising from changes in market conditions such as customer demand, competition, regulation”. Economic changes in different countries can affect the market conditions for an international bank’s operations.

Uncertainty leads to a changing context2. This means that uncertainty creates variability in outcomes and expectations, which may affect the objectives and scope of risk management.

According to 1, there are four types of potential risk strategies for threats: avoid (eliminate or change), transfer (share or outsource), mitigate (reduce or control), accept (retain or monitor). There are also four types of potential risk strategies for opportunities: exploit (ensure or enhance), share (allocate or collaborate), enhance (increase or maximize), accept (acknowledge or watch).

Risk management is core to governance and compliance4. Risk management helps to ensure that organizational objectives are achieved in a lawful, ethical, and transparent manner.

According to 3, a captive insurance company is “a wholly owned subsidiary insurer that provides risk mitigation services for its parent company or related entities”. It can act as a reinsurer by accepting risks from other insurers or captives 1. It can also access reinsurance markets to transfer some of its own risks 1. It can sometimes offer greater cover than is available in the insurance market by tailoring its policies to suit its parent’s needs 3. It does not have to be located in the same country as its parent company; in fact, many captives are domiciledoffshore for tax or regulatory reasons 4.

According to 3, clause 6.5., monitoring and review “is intended as a feedback loop for checking whether any change has occurred either internally or externally that may affect performance against objectives”. It helps to ensure that the risk management process remains relevant and effective over time.

Treatment plan provides a roadmap on how the treatment options will be deployed3. Treatment plan helps to define the objectives, scope, responsibilities, resources, timeframe, and monitoring mechanisms for implementing risk treatment actions.

The Chief Risk Officer chairs the ERM/RM steering committee. The ERM/RM steering committee oversees the organization’s risk management activities and provides guidance and support to senior management.

According to , page 9, defining the context involves “understanding what influences people’s perception and tolerance of risks”. Discussing how girls are viewed by community members can help identify potential sources of resistance, conflict or violence that may affect the project’s objectives and outcomes.

DBMS (Database Management System) and RDBMS (Relational Database Management System) can result in artifacts and records1. These systems are used to store, organize, and manipulate data that can be used for risk management purposes.

According to 3, page 7, one of the current trends in auditing, risk management and compliance is “increasing expectations for internal auditors to take a more focused oversight role with respect to enterprise-wide governance processes”. Internal auditors can provide independent assurance on how well an organization manages its risks using various tools such as audits, reviews, assessments and evaluations.

External and internal risks are significant risks of reporting that are outside the risk appetite of the organization and can impact compliance, which may also be reportable to regulatory agencies1. These risks may arise from external factors such as market changes, natural disasters, or cyberattacks, or internal factors such as human errors, fraud, or system failures.

According to ISO/IEC Guide73 (2009), clause B., causes are “elements which alone or in combination have potential to give rise to risk”. Health, safety, environment, finance andchemical breakdown are examples of causes that can create risks for an organization or an individual 1. Insurance is not a cause but a method of transferring or mitigating some types of risks 1.

According to 1, ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization (ISO). It provides principles and guidelines on managing risks that could affect organizations.

Level of risk is described in terms of consequence and likelihood. Consequence means the outcome or impact of a risk event on objectives. Likelihood means how probable it is that a risk event will occur.

According to 3, page 6, one of the current trends in auditing, risk management and compliance is “moving from a back-office function providing lagging indicators about risk (e.g., audit findings) to a front-office function providing leading indicators about risk (e.g., key risk indicators)”.

A governance, risk and compliance (GRC) framework is expected to improve efficiency by aligning strategy, processes, technology and people. GRC aims to integrate these elements to achieve organisational objectives while managing risks and complying with regulations.

According to , page 11, scenario based risk identification involves “creating different scenarios based on varying assumptions about how events might unfold”. This can help explore alternative ways to achieve an objective under different circumstances.

A primary benefit of a commercial customer self-insuring a risk is that its short-term cash-flow position is likely to improve. This is because self-insurance reduces or eliminates insurance premiums and administrative costs associated with external insurers.

According to , page 7-8, one of the roles of risk management in the strategic planning process is to identify threats and opportunities that could affect the organization’s objectives and performance.

According to , page 9, one of the current trends in auditing, risk management and compliance is “shifting from auditing people to auditing processes”. This means that internal auditors focus more on how well an organization’s processes are designed and implemented to achieve its objectives and manage its risks.

According to 1, OCEG GRC model is “a framework for integrating governance, risk management, compliance and ethics/culture into a single capability”. It defines risk management as “the capability that enables an organization to understand how uncertainty affects its ability to achieve objectives” 2.

Monte Carlo simulation is a risk analysis technique that uses random variables to model uncertainty and generate possible outcomes2. This helps to assess the probability and impact of different scenarios.

Transparency and inclusiveness are key ISO 31000:2018 attributes. Transparency means that risk management activities are visible, understandable, and verifiable by relevant stakeholders. Inclusiveness means that appropriate stakeholders are involved in risk management decisions and actions.

Risk management processes, outcomes, and activities should be traceable5. This means that there should be a clear record of how risks were identified, analyzed, evaluated, treated, monitored, reviewed, and communicated.

Residual risk is the type of risk that remains after risk treatment has been applied1. Residual risk reflects the remaining exposure or uncertainty after taking into account existing controls.

the last step of the risk assessment process, which starts with risk identification, moves to risk assessment, and finally risk evaluation, is Risk evaluation.

Risk evaluation involves comparing the estimated level of risk against the risk criteria established during the risk assessment phase, to determine the significance of the risk and whether it is acceptable or not. This decision is made in consultation with stakeholders, who may provide additional context and information to inform the decision.

The American Society for Quality (ASQ) describes risk evaluation as "the process of comparing an estimated risk against given risk criteria to determine the acceptability of the risk." [1]

Similarly, ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) defines risk evaluation as "the process of comparing the estimated risk against given risk criteria in order to determine the significance of the risk." [2]

References: [1] ASQ Glossary - Risk evaluation, https://asq.org/quality-resources/risk-evaluation  [2] ISO/IEC 27001:2013, Clause 6.1.3(c), https://www.iso.org/standard/54534.html